M.Sc Thesis

M.Sc Student: Neumann Lior
Subject: Security Analysis of the Bluetooth Pairing Protocol
Department: Department of Computer Science
Supervisor: Prof. Eli Biham
Full Thesis text: Full thesis text - English Version


The Bluetooth protocol is one of the most popular standards for wireless communications between mobile devices. Bluetooth establishes mutual encryption keys using the Elliptic Curve Diffie-Hellman (ECDH) key-exchange protocol. To mitigate MitM attacks, Bluetooth authenticates the ECDH key-exchange. In this thesis we show that the authentication is insufficient and does not provide the MitM protection promised by the standard.

The ECDH protocol uses a mathematical object called an elliptic curve to perform a cryptographic key-exchange over a public channel. Cryptographic key-exchange is usually done by two participants using public parameters established in advance. The key-exchange begins when each participant generates a pair of private and public keys. Then both participants publish their public keys, one after the other. Finally, both participants compute the shared secret using their own private key and the public key of the other participant. Note that the public keys in ECDH are points, which are pairs of coordinates on the elliptic curve.

In this thesis we present a new attack on protocols based on ECDH and demonstrate its application to the Bluetooth pairing protocol. Our attack exploits the ability to modify the y-coordinates of the public keys (while preserving the x-coordinates). We named the attack "The Fixed Coordinate Invalid Curve Attack". Unlike the well-known "Invalid Curve Attack" of Biehl et al., which recovers the private key by sending multiple specially crafted points to the victim, our attack is a MitM attack which modifies the public keys in a way that lets the attacker deduce the shared secret after a single key-exchange.

As a result of our attack, all the current Bluetooth authenticated pairing protocols are insecure. The attack successfully compromises the encryption keys of 50% of the Bluetooth pairing attempts, while in the other 50% the pairing process of the victims is terminated.

After discovering this vulnerability in the Bluetooth protocol, we tested many Bluetooth implementations. All the products we tested were found to be vulnerable. Therefore, prior to our publication we informed all the major vendors about this critical vulnerability we found in their products. The vendors responded by releasing a patch to the billions of vulnerable devices around the world to prevent malicious use of this vulnerability.

After our publication, the Bluetooth Special Interest Group (SIG) published a security advisory recognizing our attack. Along with the security advisory the Bluetooth SIG released a modification to the core specification mitigating our attack. In addition, a test for our attack has been added to the Bluetooth product qualification program. The new test implements our suggested mitigation.

In addition to our new attack, we present a new research tool for Bluetooth. The tool was developed based on Broadcom's Bluetooth stack implementation, which combines both hardware and firmware. It allows for security analysis of the Bluetooth Protocol that was not available before. We used this tool to test our newly discovered attack. We also propose several other use cases for this new tool.